Part 2 Flashcards

Question 1

Q

What is “direct evidence”?

Answer

A

Oral testimony that proves a specific fact.

Question 2

Q

What is “documentary evidence”?

Answer

A

Commercial documents, prints, manuals, etc.

Question 3

Q

What are 3 rules for evidence”

Answer

A

1) Better evidence: the court prefers original documents.
2) The exclusionary rule: The data collected in violation of the 4th amendment (unreasonable search and seizure) is not eligible.
3) Whether or not there is ‘hearsay”. Which is second-hand evidence and is an option not admissible. Not even computer-generated hearsay.

Question 4

Q

What is “image capturing?”

Answer

A

Imaging a system can be a very effective way of preserving evidence.

Question 5

Q

What is a “forensic copy”?

Answer

A

It is a bitwise copy that includes integrity checks in the form of a hash.

Hashing tools and algorithms create message digests that show that a copy is equivalent to the original and has not been altered.

Question 6

Q

What is “time offset”?

Answer

A

This is when there is a time difference between two different computers, they are not synchronized in “real time”.

Question 7

Q

What is “preservation of evidence”?

Answer

A

This is the process of making sure that evidence is purchased, identified, protected from tampering, transported, and stored properly. Digital copies can be edited and completed without a record of change.

Need to have safeguards against manipulation, whether intentional or not. Also collecting hashes helps as they validate copies of evidence.

Question 8

Q

What is the “recovery of evidence”?

Answer

A

This is determining relevant information and then retrieving it.

Question 9

Q

What is “strategic information gathering”?

Answer

A

This is the use of all resources to make decisions. This is limited to the management level.

Question 10

Q

What is “counterintelligence collection”?

Answer

A

This is the collection of information specifically directed to the strategic intelligence effort of another entity.

Question 11

Q

What are “Standard Operating Procedures (SOPs)”?

Answer

A

Both are needed for SOPs:
1) These are step-by-step directions on how to implement policies within an organization.
2) Standards are mandatory elements for the implementation of a policy.

Question 12

Q

What are “Trade Association Agreements (BPAs)”?

Answer

A

They are the legal agreements between partners. This is a legal agreement that outlines the terms, conditions, and expectations between partners.

Question 13

Q

What are “service level agreements (SLA)”?

Answer

A

These are negotiated agreements between two parties that outline service expectations. Technical metrics between the customer and service provider are usually described in this agreement.

Question 14

Q

What is an “interconnection security agreement (ISA)”?

Answer

A

It is a specialized agreement between organizations that have interconnected IT systems. ISAs document the security requirements that arise from such connections.

Question 15

Q

What are “Memorandums of Understanding (MOU)”?

Answer

A

These are legal documents that describe a bilateral agreement between the parties. The parties have some kind of shared goal.

Question 16

Q

What are “non-disclosure agreements (NDAs)”?

Answer

A

These are confidentiality agreements between a company and its staff, which describes the limits of secret corporate material and the disclosure of such information to unauthorized parties.

Question 17

Q

What are “Acceptable Use Policies (AUPs)”?

Answer

A

These are documents that describe what your organization considers appropriate use of its resources. This includes computer systems, email, the internet, and networks. The goal is to enable normal business productivity while limiting inappropriate use.

Question 18

Q

What are “workplace policies”?

Answer

A

These are policies that help the organization run better by providing rules that help people work together and allow adherence to standard operating procedures.

Question 19

Q

What is “onboarding”?

Answer

A

This is the process of hiring an employee and getting them going with workplace policies.

Question 20

Q

What is “offboarding”?

Answer

A

This is the process of removing an employee from the organization.

Question 21

Q

What are “data owners roles” responsible for?

Answer

A

These roles are responsible for data ownership and this is a business function where requirements for security, privacy, retention, and other business functions are set.

Question 22

Q

What are “system administrator data roles” responsible for?

Answer

A

These are administrative users responsible for keeping a system within defined requirements. They do not create the requirements, just enforcing them.

Question 23

Q

What are “users”?

Answer

A

These are ordinary users who have limited access and privileges, depending on their role and work activities.

Question 24

Q

What are “privileged users”?

Answer

A

These users have more access than ordinary users.

Question 25

Q

What is an “executive user”?

Answer

A

The is a special subcategory of a user. Often times these are people that do not need a high level of access but get it because of status; so they are natural targets of phishing attacks.

Question 26

Q

What is “risk management”? What is the importance of it?

Answer

A

The process of identifying, evaluating, and controlling threats to an organization’s capital and earnings. It enables organizations to try to prepare for the unexpected by minimizing additional risks and costs before they occur.

This allows companies to maximize their return on investment so that they can make more money.

Question 27

Q

What is “PII”?

Answer

A

This is a “customer’s” personal identifiable information.

Question 28

Q

What are 5 important benefits of risk management?

Answer

A

1) Create a safe workplace for all staff and customers.
2) save on unnecessary premiums.
3) reducing legal liability.
4) Protecting all persons and property involved from possible harm.
5) Provides protection against damaging events for both the company and the environment.

Question 29

Q

What are 5 possible impacts when a company has sucky risk management policies?

Answer

A

1) Death or injury to 3rd parties.
2) Property damage, including to commerical property, thrid-party property, or environmental property.
3) Security, or lack there of.
4) Finance. Everything costs money.
5) Reputation. Security risks can damage the ability of a company to make money.

Question 30

Q

What is “availability?”

Answer

A

The time required for a system to perform its intended functions.

Question 31

Q

What is “reliability”?

Answer

A

This is simply the measure of the lack of frequency of system failures.

Question 32

Q

What is “RTO”?

Answer

A

Recovery Time Objective.
The target time to resume operations after an accident.

Question 33

Q

What is “RPO”?

Answer

A

Recovery Point Objective.
The time period that represents the maximum acceptable data loss period.

The data loss is the differentiator. It is related to backup frequency.

Question 34

Q

What is “MTTR”?

Answer

A

Mean Time To Repair.
The measure of time it takes to repair a fault. This is the total downtime divided by the total failures.

Question 35

Q

What is “MTBF”?

Answer

A

Mean Time Before Failure.
This is a measure of the time between failures.

Question 36

Q

What are “mission-essential functions”?

Answer

A

These are essential functions that MUST occur for business operations.

Question 37

Q

What is “critical systems identification”?

Answer

A

This is identifying the data and systems that support mission essential functions.

Question 38

Q

What is “PIA”?

Answer

A

Private Impact Assessment.
This is the gap between desired and actual privacy performance.

Question 39

Q

What is “threat assessment”?

Answer

A

This is a structured analysis of the threats that a company faces. We can’t change the threats, only the way it affects us.

Question 40

Q

What are the 4 types of system threats?

Answer

A

1) Environmental: weather, lightning, storms, solar flares, etc.
2) Man-made: Hostile attacks or accidents by staff.
3) Insiders: Disgruntled or well-meaning employees who make a mistake that inadvertently harms the organization.
4) External: A threat outside the organization, attacking it.

Question 41

Q

What is “SLE”?

Answer

A

Single Loss Expectation.
This is the value of a loss expected from a single event.

Question 42

Q

What is “ARO”?

Answer

A

The is the annual occurrence rate, which is how many times a year we think something will happen.

Question 43

Q

What are 5 possible risk responses?

Answer

A

1) Avoid them by minimizing exposure.
2) Transfer of risk to another person through insurance or other methods.
3) Mitigate them by applying controls to reduce impact.
4) Just fix it, without testing.

Question 44

Q

What are “security deterrents”?

Answer

A

These are controls that hinder the attacker by reducing the likelihood of success from their point of view.

Question 45

Q

What are “security compensation controls”?

Answer

A

These controls are used to meet a requirement when one doesn’t have an option to directly address a threat.

Question 46

Q

What are “security preventative checks”?

Answer

A

These prevent specific actions, such as firewalls or mantraps, from being performed.

Question 47

Q

What are “security technical controls”?

Answer

A

These involve the use of some form of technology to address security problems, such as biometrics.

Question 48

Q

What are “security investigative checks”?

Answer

A

These are checks to help detect intrusions or attacks.

Question 49

Q

What are “security physical controls”?

Answer

A

These are capable of preventing specific physical actions from occurring.

Question 50

Q

What are “security corrective controls”?

Answer

A

These are used after the event and help minimize the extent of the damage.

Question 51

Q

What are “security administrative controls”?

Answer

A

These are procedures or policies used to limit security risks.

Question 52

Q

What is BIA?

Answer

A

Business Impact Analysis.
This is the process of determining the source and related values of risk elements in a process. It also describes how the loss of any critical function will affect an organization.

Question 53

Q

What is ALE?

Answer

A

This is the SLE multiplied by the ARO.

Question 54

Q

What is “OT”

Answer

A

Operational technology.

Question 55

Q

What is “Dd”?

Answer

A

Data domain.

Question 56

Q

What is “SAE, SOC”?

Answer

A

Standards of Attestations Engagement, System and Organizations Control

Question 57

Q

What is “DMARC”?

Answer

A

Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing.

Question 58

Q

What is a “captive portal”?

Answer

A

Web page that the user of a public-access network is obliged to view and interact with before access is granted

Question 59

Q

What is a “LAMP server”?

Answer

A

A LAMP stack is used for backend or server-side development. A backend application is software that runs in an environment that’s hidden from end users.

Question 60

Q

What is “OAuth”? What version is currently in use?

Answer

A

OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization.

Question 61

Q

What is “PAM”?

Answer

A

Privileged Access Management (PAM) is an information security (infosec) mechanism that safeguards identities with special access or capabilities beyond regular users. Like all other infosec solutions, PAM works through a combination of people, processes and technology.

Question 62

Q

What is “vulnerability scan input”?

Answer

A

Vulnerability scanning involves using either a software or hardware-based scanner to locate soft spots in your code that can be exploited by known attack vectors. Soft spots are typically a result of unsanitized code that permits illegal inputs.

Question 63

Q

What is “GDPR”?

Answer

A

The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8 of the Charter of Fundamental Rights of the European Union.

Question 64

Q

What can “vulnerability scanning detect”?

Answer

A

A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures. A scan may be performed by an organization’s IT department or a security service provide, possibly as a condition imposed by some authority.

Answer 65

A

The data owner is responsible for determining how the data may be used, while the custodian is responsible for implementing the protection to the data.

Answer 66

A

Mobile device management (MDM) is software that allows IT administrators to control, secure and enforce policies on smartphones, tablets and other endpoints.

Answer 67

A

TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop).

Answer 68

A

Continuous integration (CI) is the practice of automating the integration of code changes from multiple contributors into a single software project. It’s a primary DevOps best practice, allowing developers to frequently merge code changes into a central repository where builds and tests then run. Automated tools are used to assert the new code’s correctness before integration.

Answer 69

A

Continuous integration (CI) is the practice of automating the integration of code changes from multiple contributors into a single software project. It’s a primary DevOps best practice, allowing developers to frequently merge code changes into a central repository where builds and tests then run. Automated tools are used to assert the new code’s correctness before integration.

Answer 70

A

How fast read and write capabilities are. RAID 1 is fastest, but also most expensive.

Answer 71

A

SOAR (Security Orchestration, Automation, and Response) refers to a collection of software solutions and tools that allow organizations to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.

Answer 72

A

Attackers can poison a DNS cache by tricking DNS resolvers into caching false information, with the result that the resolver sends the wrong IP address to clients, and users attempting to navigate to a website will be directed to the wrong place.

Answer 73

A

It is an error that will typically stop a program from running, also called a denial of service. A denial of service is NOT just with websites.

This type of error is unlikely to cause a data breach or allow privilege escalation, and permission creep occurs as individuals get more permissions.

Answer 74

A

It is used to pull together logs from multiple sources and performing collection and initial analysis on log collectors can help centralize and handle large log volumes.

Answer 75

A

The fusion centers represent a shared commitment between the federal government and the state and local governments who own and operate them.

Answer 76

A

This occurs when the registration or other info for the domain is changed w/o the original registrant’s permission.

Answer 77

A

This involves hackers gaining unauthorized access to wireless networks.

Wireless networks can most often be scanned from any smartphone. It is just a matter of finding networkings to try and brute force if needed.

Answer 78

A

War flying is the act of using an airplane and a wireless network detector to find wifi wireless network locations.

Answer 79

A

This is the process of eliciting information through conversation to gather useful information.

Answer 80

A

In a pharming attack, users aren’t tricked into navigating to a malicious website. Instead, the attacker steals data using malware background processes or automatically sends a user to a phishing website in their browser. Pharming is much more effective than phishing because it doesn’t require the user to click a link.

Answer 81

A

An Advanced Persistant Threat is a significant threat are those of state actors or nation-state actors who often have greater resources and skills at hacking, thus making them a more significant threat.

Answer 82

A

Adding an expression or phrase to an email, subject line or headers to protect or fool users. It can also be used for adding data as part of an attack, or into a conversation to get targets thinking about what attacker wants them to think about.

Answer 83

A

It is a social engineering technique where attackers use a reason that is intended to ne believable to the target for what they are doing.

Answer 84

A

This is an attempt to add SQL code to a web query to gain access to data.

Answer 85

A

A potentially unwanted program. Spyware and adware are common examples.

Answer 86

A

These are self-spreading malware that exploit vunerabilities to spread via a network.

Answer 87

A

This is a piece of software pretending to legitimate software or paired with legitimate softwareto gain entry to a system or device.

Answer 88

A

This is a remote access trojan, malware that gives the attacker remote access to the virtual machine.

Answer 89

A

Cross-site request forgery, it sends forged requests to a website, supposedly from a trusted user

Answer 90

A

This is the injection of scriptsinto a website to exploit the users.

Answer 91

A

This tries to put more data in a variable than a variable can hold.

Answer 92

A

This attempts to redirect traffic intended for a legitimate site to another maliscious site. Attackers usually do this by changing the local hosts file or by exploiting a trusted DNS server.

Answer 93

A

This is changing the password for an account, often because of a compromise or to prevent a user from logging back into it while preserving the accoubnt.

Answer 94

A

This is a brute force attack which uses a smaller list of common passwords across many accounts to attempt to login. I.e. is a attack on everyone in the marketing department.

Answer 95

A

End user licensing agreement. It is the contract that users sign when they use software.

Answer 96

A

This is an enumeration test to enumerate and scan for vulnerabilities. Often used by bug bounty researchers and corporate security teams to find issues, patch defects, and manage environments.

Answer 97

A

Targeting a specific group of people.

Answer 98

A

Malware performs its malicious activity when some condition is met.

Answer 99

A

Entering a script into text areas that other users will view.

Answer 100

A

“It is about tricking users into clicking the wrong thing.

Answer 101

A

This pulls together logs from multiple sources, and performing and initial analysis on log collectors that can help centralize and handle large log volumes.

Answer 102

A

These are judges and observers during cybersecurity exercises.

Answer 103

A

APIs are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols.

Answer 104

A

This is typically an attempt to get HTTP data passed through a website and will not include SQL injection. Ways to prevent SSRF include blocking sensitive hostnames, IP
addresses, URLs, and the use of whitelist-based input filters.

Answer 105

A

This is called a black-box or zero-knowledge test because it does not provide information beyond the basic information needed to identify the target.

Answer 106

A

This is a white-test box that involves very complete information being given to the tester.

Answer 107

A

A pivot occurs when you exploit one machine and use that as a basis to attack other systems. This can be done from internal and external sites.

Answer 108

A

This is when the attacker places some malware between an application and some other file and intercepts the communication to that file (usually to a library or system API).

Answer 109

A

This is the process of changing names of variables, functions, and so forth in a program.

Answer 110

A

This is when many SYN packets are sent without a full three-way handshake.

Answer 111

A

It is a table to passwords on one side and hashes on another.

Answer 112

A

Atype of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network.
These are usually based in Windows environments.

Answer 113

A

At the server level.

Answer 114

A

This is a Common Vulnerabilities and Exposures (CVE) list that has entries that describe and provide references to publically known cybersecurity vulnerabilities. A CVE feed will provide updated information about new vulnerabilities and a useful index number to cross reference with other services.

Answer 115

A

This exploits the birthday problem in probability theory and relies on finding collisions between random attempts and the number of potential permutations of a solution.

These attacks are one method of attacking cryptographic hash functions. They are not a social engineering attack, a network denial-of-service attack, or a TCP/IP protocol attack.

Answer 116

A

This is a list of words that are believed to be likely passwords.

Answer 117

A

This is when an attacker takes over an authenticated session.

Answer 118

A

This attack seems to make a Transport Layer Security (TLS) connection use a weaker cipher version, thus allowing the attacker to more easily break the encryption and read the protected data.

Answer 119

A

This is when the attacker attempts to force the victim into disassociating from a resource, like a network connection creating a MITM potential scenario.

Answer 120

A

This attack usually targets personal information and sensitive issues like credit card numbers and passwords.

Answer 121

A

Then is when there is an attempt to transfer blame to another organization. This happens a lot in the military.

Answer 122

A

This is an attempt to overflow a switch’s MAC table, causing the switch to send all traffic to all ports rather than to the port that a given MAC address is associated with. This is an attack that happens with older switches.

Answer 123

A

A race condition is an undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence to be done correctly.

Answer 124

A

It is malware that records user activities.

Answer 125

A

This is a server with a database admin account only and does not have a password. It is very easy to crack.

Answer 126

A

This is when the attacker gains access to systems or accounts with a higher security or trust level.

Answer 127

A

This is when boundaries are not checked in a variable and the attacker tries to put in more data than the variable can hold.

Answer 128

A

This is aka social proof, a social engineering attack that leverages the fact that people are often willing to trust groups of other people.

Answer 129

A

When memory is allocated but not de-allocated.

Answer 130

A

These are viruses that take advantage of PowerShell to perform actions once they have used a vulnerability in a browser or browser plug-in to inject themselves into system memory.

Answer 131

A

aka Address Resolution Protocol (ARP) spoofing, this is when an attacker sends malicious packets to the default gateway of a local area network, causing it to change the mappings it maintains between the hardware (MAC) addresses and IP addresses.

Answer 132

A

Nothing, it is not a term used.

Answer 133

A

This causes memory exhaustion or other issues over time as memory is not properly reclaimed. Leaks do not actually leak and they do not allow SQL injection.

Answer 134

A

As firmware updates.

Answer 135

A

This sends unsolicited messages to Bluetooth devices.

Answer 136

A

This is dialing numbers hoping a computer modem answers.

Answer 137

A

These are lists of common passwords as well as common substitutions to attempt to break into a system or service.

Answer 138

A

These lock out attackers after a small number of incorrect password attempts, which can slow or stop dictionary attacks and other brute-force password attacks.

Answer 139

A

These are attacks against target groups by focusing on commonly shared behaviors like visiting specific websites.

There are no such things as watercooler, phishing net, and phish pond attacks.

Answer 140

A

Focuses on user input validation and filtering of output to ensure that an excessive amount of data is not being returned in queries. As with all services, LDAP should be one of the first to be secured.

Answer 141

A

This is used to ensure that website certificates are current, but it does not prevent URL redirection attacks.

Modern browsers display the full URL to prevent this.

Answer 142

A

These attempt to exploit tools that can read directories and files by moving through the directory structure.

Adding common directory names and common filenames can allow attackers and penetration testers to read other files in accessible directories if they are not properly secured.

Answer 143

A

This is intended to prevent supply chain attacks by ensuring end-to-end supply security for important circuits and electronics.

Answer 144

A

threatmap.com
fortiguard.com
threatmap.checkpoint.com

Answer 145

A

These are a combination of red and blue teams intending to leverage the techniques of both sides to improve organizational security.

Answer 146

A

These are attempts to exploit tools that can read directories and files by moving through the file structure.
I.e. reading.the config.txt file three layers above the working directory. Adding common directory or file names can allow attackers (or penetration testers) to read other files of directories not properly secured.

Answer 147

A

Security orchestration, automation, and response. Designated to integrate with a broader range of both internal and external applications.

Answer 148

A

Windows Security Account Manager (SAM) file and /etc/shadow file for Linux.

These are both common places for brute farce attacks.

Answer 149

A

This requires attackers to pursuade victims to send traffic through them via HTTP while continuing to send HTTPS encrypted traffic to the legitimate server by pretending to be the victim.

It is not a brute force attack, a Trohan attack wpuld require malware, and a downgrade attack would try to move the encrypted session to a less secure encryption protocol.

Answer 150

A

It is intended to prevent supply chain attacks by ensuring end-to-end supply chain security to important circuits and electronics.

Answer 151

A

threatmap.fortiguard.com or threatmap.checkpoint.com

These are visualizations of real-time or near real-time data gathered by vendors and other organizations that can help visualize major threats and aid in analysis of them.

Answer 152

A

It involves accessing data from a Bluetooth device when it is range.

Answer 153

A

This involves sending unsolicited messages to Bluetooth devices when they are in-range.

Answer 154

A

1) Type and scope of testing
2) client contact info
3) requirements for when the team should br notified
4) sensitive data handling requirements
5) details of regular meetings and reorts.

Answer 155

A

It starts a reverse shell and is often on port 8989.

Answer 156

A

This threat this is not openly available, OSINT, or open source threat intelligence.

Answer 157

A

The context of tgreat hunting, as how to think like a malicious user to help you identify potential indicators of compromise in your environment.

Answer 158

A

It is a resource exhaustion attack that uses up all available sessions it is aimed at.

Answer 159

A

This is a type of social engineering that involves using a false motive and lying to obtain data.

Brainscape's Knowledge GenomeTM

Part 2 Flashcards

Brainscape's Knowledge Genome^TM